GDPR explicitat (3): Respectați principiile și demonstrați-vă conformitatea activităților

AU MAI RĂMAS 318 zile

GDPR Ready! este o inițiativă care își propune să asigure un transfer deschis de know-how către toți cei interesați de asigurarea conformității cu Regulamentul Uniunii Europene 679/ 2016, care va intra în vigoare pe 25 mai 2018.

 

Și iată-ne ajunși la partea de principii. Sub GDPR, principiile de protecție a datelor stabilesc principalele responsabilități pentru organizații. Principiile sunt similare cu cele din Legea 95/, cu detalii adăugate la  anumite puncte și o nouă cerință pentru responsabilitate. În fond, acest principiu al responsabilității este unul dintre vectorii cheie ai GDPR. Operatorii de date personale sunt obligați nu numai să respecte aceste principii, ci și să demonstreze modul în care sunt activitățile lor sunt conforme cu principiile prelucrării datelor personale.  Dar hai sa le vedem pe rând.

Care sunt principiile GDPR? Le găsim în Art.5: ”Principii legate de prelucrarea datelor cu caracter personal”:

a). Legalitate, echitate şi transparenţă – acesta este un principiu esențial, strâns asociat cu drepturile fundamentale ale omului. Datele cu caracter personal trebuie să fie prelucrate ”în mod legal, echitabil şi transparent faţă de persoana vizată.”

b). Limitări legate de scop – datele personale trebuie să fie colectate în scopuri bine determinate, explicite şi legitime, iar prelucrările ulterioare nu trebuie să se abată de la aceste scopuri. E important aici să reținem că prelucrarea publica prin arhivare, pentru cercetare ştiinţifică/ istorică sau pentru analize statistice nu se considera ca deviantă de la scopurile iniţiale – așa cum se arată în Art. 89, alin. 1.

c). Reducerea la minimum a datelor – prin acest principiu operatorii sunt avizați de faptul că orice colectare de date personale trebuie foarte bine analizată înainte de obținerea efectivă a datelor, care trebuie să fie cele mai relevante și strict limitate la ceea ce este absolut necesar pentru scopurile în care sunt prelucrate.

d). Exactitatea informațiilor – operatorii trebuie să se ia toate măsurile pentru a asigura validitatea datelor, iar cele dovedite inexacte trebuie actualizate rapid sau șterse.

e). Limitarea stocării – datele trebuie păstrate fix atâta timp cât sunt necesare pentru pelucrarea asumată. Perioadele mai lungi de stocare sunt excepții asociate cu activități publice de arhivare, cercetare sau statistica, conform Art. 89, alin. 1.

f). Integritate și confidențialitate – iarăși un principiu esențial. Prelucrarea datelor personale trebuie făcută în cele mai proprii condiții de siguranță, care să includă ”protecţia împotriva prelucrării neautorizate sau ilegale şi împotriva pierderii, a distrugerii sau a deteriorării accidentale, prin luarea de măsuri tehnice sau organizatorice corespunzătoare”.   Din punctul meu de vedere, acesta este un vortex al GDPR. Cine nu respectă acest principiu este direct expus la breșe de securitate și confidențialitate, fiind un candidat sigur pentru extrem de severele penalități.

Așa cum spuneam și puțin mai sus, în partea introductivă a acestui articol, aceste principii se regăsesc și în legislația actuală. Dacă luăm Directiva 95/ 46 EC la Art. 6 din Capitolul ”Principii legate de calitatea datelor” găsim că datele cu caracter personal trebuie să fie:

a). prelucrate cu bună-credință – conform dispozițiilor legale;

b). colectate în scopuri determinate, explicite şi legitime – cu același amendament legat de prelucrarea științifică și statistică, dar fără operațiunile de arhivare în interes public prezente în GDPR;

c). adecvate, pertinente şi neexcesive – prin raportare la scopul în care sunt colectate şi ulterior prelucrate;

d). exacte şi, dacă este cazul, actualizate –  cu recomandarea ca datele inexacte sau incomplete să fie şterse sau rectificate;

e). stocate într-o formă care să permită identificarea persoanelor vizate strict pe durata necesară – cu completarea legată de condițiile și garanțiile aferente stocării pe termen lung.

Marea diferență față de textul Directivei 95/ 47 apare la Aliniatul 2:

  • În Directiva Comisiei Europene (Art.6, Alin.2) se arată că: ”Operatorul trebuie să se asigure că se respectă alineatul (1)”
  • În GDPR (Art. 5, Alin.2) apare clar principiul responsabilității: ”Operatorul trebuie să fie responsabil de respectarea alineatului (1) şi să poată demonstra această respectare (“responsabilitate”).”

Cu alte cuvinte, cea mai importantă adăugare la GDPR este principiul responsabilității. GDPR vă cere nu numai să respectați principiile – de exemplu, prin documentarea deciziilor luate cu privire la o activitate de procesare, ci și să demonstrați oricând această responsabilitate. Dar, în opinia mea, noțiunea de ”accountability”, introdusă în textul original al GDPR  înseamnă puțin mai mult decât o simplă ”responsabilitate”. Descrierea Cambridge English Dictionary e concludentă pentru asta: ”Someone who is accountable is completely responsible for what they do and must be able to give a satisfactory reason for it”

Mergând la textul legislației naționale, paragraful 2 din Art. 4 nu diferă forte mult de conținutul Art. 5 din GDPR. Astfel, în Legea 677/2001, Art.4, Alin 2. se specifică: Operatorul este responsabil de respectarea alineatului (1) şi poate demonstra această respectare (“responsabilitate”).”

Concluzionând, iată ce am reținut ca extrem de important din capitolul despre Principii (a se vedea GDPR Considerentul 39):

  • Orice prelucrare de date cu caracter personal trebuie să fie legală şi echitabilă.
  • Principiul transparenţei prevede că orice informaţii şi comunicări referitoare la prelucrarea respectivelor date cu caracter personal trebuie să fie uşor accesibile şi uşor de înţeles şi că se utilizează un limbaj simplu şi clar.
  • Persoanele fizice trebuie informate cu privire la riscurile, normele, garanţiile şi drepturile în materie de prelucrare a datelor cu caracter personal şi cu privire la modul în care să îşi exercite drepturile în legătură cu prelucrarea.
  • Scopurile specifice în care datele cu caracter personal sunt prelucrate trebuie să fie explicite şi legitime şi să fie determinate la momentul colectării datelor respective.
  • Datele cu caracter personal trebuie să fie adecvate, relevante şi limitate la ceea ce este necesar pentru scopurile în care sunt prelucrate.
  • Datele cu caracter personal ar trebui prelucrate doar dacă scopul prelucrării nu poate fi îndeplinit în mod rezonabil prin alte mijloace.
  • Operatorul trebuie să stabilească termene pentru ștergere sau revizuirea periodică.
  • Datele personale trebuie prelucrate într-un mod care să asigure în mod adecvat securitatea şi confidențialitatea, inclusiv în scopul prevenirii accesului neautorizat la acestea sau utilizarea neautorizată a datelor cu caracter personal şi a echipamentului utilizat pentru prelucrare.

Urmăriți articolele publicate în cadrul inițiativei GDPR Ready! În următorul material ne vom ocupa de Legalitatea prelucrării datelor cu caracter personal – Art. 6 din GDPR.

Articole anterioare:

Advertisements

IDC Security Roadshow 2017; in Bucharest a Real Show!

 

Keeping the same direct dialogue style from announcing article “IDC Roadshow 2017 is coming in Bucharest”, I want to ask yesterday participants if all I promised was happen. Did you think my participation invitation arguments have not been confirmed by the event? Anyone is free to complain posting personal opinions on the comments area… What I want, and I consider it more important, is to show those who could not come, what they had to lose…

So, it was 2017 edition of IDC Roadshow, and Bucharest was the 10th location in CEE region. I don’t know what’s happening in other cities, but I can confirm in Bucharest it was a real show! And here are my key arguments:

First, through the new approach to IT security issues, a field where never-ending novelty is no longer new… We are in a multi-platform era and any CISO should think to data security challenges from duality perspective.  How to improve security posture and resource efficiency at the same time. Data protection is at the same time a management and an IT challenge, covering a lot of vulnerabilities points from access controls and privileged user management, to data encryption and prevention, to policy and compliance deploying, and development of an effective data security culture for the whole company.

Second, the Conference Agenda, which balanced and alternated in a natural way keynotes speeches and new security concepts (Mark Child – CEE Security Practice Lead IDC, Liviu Stoica – president Agency for Romanian Digital Agenda, Gabriel Nicolaescu – Novatech, Puiu Leontescu – Palo Alto Networks, Marian Gheorghe – Telekom)  with discussion panels (CISO perspective: CEC Bank, Omniasig VIG, Dacia Renault and Client and the Vendor: Urgent Targus, Novatech, Palo Alto Networks) , live demo  and two dedicated breakout sessions focusing on of hottest  subject of the moment: The WannaCry Impact for security industry and the new EU regulation 2016/ 679 concerning the personal data privacy (GDPR).

Third, the professional quality of the speakers and discussion panels participants. Personal, for me, it was a very nice surprise to hear and to meet top level professionals, with long-time and rich expertise in their activity areas like Gabriel Nicolaescu – BDM Novatech, Puiu Leontescu – System Engineer Palo Alto Networks, Cristina Metea – Legal Adviser Microsoft Romania, Catalina Dodu – Country Manager Atos Romania, Adrien Viaod – Field Application Engineer Kingston, Emil Gagala – Network and Security Architect VMware, and Alex Balan – Chief Security Researcher Bitdefender.

Fourth, and somewhat related to the previous one, was the active presence with presentations and especially comments on the personal experience of a very representative CISO & CIO pool, from all essential industries for protecting information, like banking (Razvan Grigorescu – Information Security Manager/ CISO CEC Bank, Cristian Goiceanu – CSO & Executive Director, BCR, and Andrei Vilcan – Head of Information Security, Banca Transilvania),  insurance (Adrian Baciu – CISO Omniasig VIG), manufacturing (Daniel Dinu – CISO Dacia Renault), utilities (Eusebiu Rotaru – IT Infrastructure Manager Electrica Distributie), telecom (Marian Gheorghe – Business Segment ICT and Sales Key Accounts Director Telekom) and logistic services (Marian Pletea – CIO Urgent Cargus), until to the governmental representatives (Liviu Stoica – President. Agency for the Romanian Digital Agenda).

Fifth, the professional involvement of IDC staf, which well managed a very difficult event. I know from my own experience the necessary efforts to better organize such international event. It was a nice surprise for me to note the professional infusion brought by the new team of  IDC Romania, active represented during all conference by Alina Georgescu – Country Manager and Razvan Savu – Senior Consultant & Senior Research Analyst. Besides the effervescence of the young team, a great value contribution to the event success was conferred by the presence of Mark Child, a regional information security expert with a rich experience in IDC’s research projects since 2004.

So, is not time and space to write here more details about the Roadshow presentations. This will be included in next articles. What I consider important to point here are three moments with large impact for all audience.

The hacking live demo sustained by Senior Information Security Consultants Gabriel Avramescu from Bucharest and Radu Stăneascu from Bruxelles show us how simple is for a hacker to penetrate our computers and to destroy/ steal critical data, by a simple access on a malicious site. It was a very simple technical live demo showing how easy is for any medium experienced hacker to penetrate our systems In the absence of elementary protection measures and cyber security culture.

Another interesting moment was the discussions panel moderated by Razvan Savu from IDC, dedicated to a real case: the business transformation process faced by Urgent Cargus, a former Romanian company acquired by Deutsche Post DHL in 2008.  Operational problems and the challenges caused by the lack of integration of the platforms and systems was the main discussion subjects, and in the same time, the challenging issues opened by Marian Pletea – CIO Urgent Cargus to Gabriel Nicolaescu from Novatech, and Puiu Leontescu from Palo Alto Networks. Both specialists offered their general strategy for the concrete case solving, commented and amended by the Urgent Cargus CIO.

Finally, a few words about a special panel session dedicated to GDPR, moderated by Andreea Lisievich – Data Privacy Lawyer and having as guests Cristina Metea from Microsoft, Catalina Dodu from Atos, and  Cristian Goiceanu – CSO & Executive Director at BCR. As I know it was one of the first UE regulation debate sustained by private company representants, included in a security conference. After a short introduction in the new GDPR regulation made by Andreea Lisievich, participants discussed the vital importance for any company to become compliant with this regulation. Special attention has been given to the new provisions of the regulation that will enter into force on May 25, 2018, and what attitude must be adopted by any company operating with personal data to comply with the new provisions. Other important issue discussed:

  • Errors of interpretation that may arise from the current Romanian translation of the Regulation
  • What are personal data involved
  • Who and How is processing personal data
  • Which are the situations a DPO role is necessary?
  • Which competencies should a DPO have?
  • How important are the data incidents announcements
  • When is necessary to announce the citizens about a possible personal data incident?
  • How should citizens react when they receive a possible incident notification?
  • Which are specific problems for a Cloud services provider?
GDPR is a big challenge for any personal data operating companies. There are a lot of unclear issues related to “What we have to do” action plan. Follow the actions proposed by the GDPR Ready initiative to get answers to the issues raised by personal data processing compliance in real time.

 

Concluding, IDC Security Roadshow, 2017 edition was something new. A new event concept for a very sensitive subject: information security. A well balanced and interesting Agenda. A very high professional level of participants. professional high level. A very representative presence of big companies CISO. A very important contribution to IDC organising team during all the event.

The Digital transformation hurricane is involving a lot of new technologies, opening the Pandora’s Box for a lot of new threats to cyber security. In order to prevent and to limit any vulnerability, important is to know this threat, to manage the associated risks, to develop a company culture for data protection, and to implement a business continuity strategy.  

IDC Security Roadshow 2017 is coming in Bucharest

Just one week until the new edition of IDC Security Roadshow, transforming Bucharest for one day in the Europen capital of cyber security. Reflecting the trend of recent years that attracted a multitude of border technologies in the hurricane of digital transformation, opening the Pandora’s Box for new threats of cyber security, this year edition of IDC Security Roadshow will focus on the information security issues in multi-platform era.

It is true, a lot of cyber security conferences were organised in the last period. And this is perfectly normal, thinking to the strategic importance of the field. If you still have doubts, if you are not yet clear that it is worth attending the IDC Roadshow, take a look at the event Agenda and you will see it worth it. The main security market trends in CEE will be analysed in the opening keynote ”Information Security in the Multi-Platform Era”, sustained by Mark Child, CEE Security Practice Lead at IDC CEMA. After that Gabriel Nicolăescu, Business Development Director at NOVATECH will conduct us in a CISO strange adventure in Alice (and Bob) In The New Wonderland. The misadventures of a CISO in the brave new world of…”

If I have not convinced you so far, maybe a hacking demonstration could be a good reason for you to postpone your business routines in another day and to come to the IDC Roadshow on June 8th. Come to assist two Senior Information Security Consultants Radu Stăneascu and Gabriel Avramescu in their “Live Demo Hacking.”

Are your organisations in a permanent search for solutions to consolidate your security infrastructure? See how Palo Alto Networks Next-Generation Security Platform, presented by Puiu Leontescu, can help you to address your company cutting costs with superior security solution and an effective TCO.

Okay, you might say: ”maybe it’s worth writing at least for the first part of the conference, and after that, I go back to my office to resolve my affairs.” Don’t rush …, look again on the agenda and you will see that the themes approached by the two parallel sessions in the second half of the program will make you regret that you can not split into two. In this case, the ideal solution is to convince a colleague to come to the IDC Roadshow. So you will be able to participate each one at one breakout session and then share the information. These sessions will cover two subjects with a strategic role in any CSO activity: End-point defence and Data-Centric Security.

Guerrilla fights with cyber criminals never end, and it’s enough to think of the nightmare weekend created by WannaCry, described by Eugene Kaspersky as ”a ransomware with a very low code quality, and a lot of bugs that gives victims a chance to restore data using free utilities for file recovery”… End-point defence session will cover ”The WannaCry Impact” analysed by Mark Child from IDC, a Novatech Case Study presented by Marius Marinescu, CTO at Novatech, the last development brief ”Bitdefender – Trademark For Innovation!” made by Alex Balan, Chief Security Researcher, and another Case Study presented by Eusebiu Rotaru, Manager IT Infrastructure at Electrica Distribution.

Regulations achievement and standards compliance could be other nightmare reasons for a CIO or a CSO. And speaking about the new EU regulation concerning the personal data privacy (GDPR), the issues become more critical. Of course, you can think that GDPR is not your problem, but the company’s administrators and lawyers. Don’t think like this because in the new European regulation there is an important amount of specifications that directly target the technological and operational components in any organisation is managing personal data. And this should interest you directly. Don’t forget: until the implementation of the new EU Regulation 679/2016 (25 May 2018), we have less than one year… IDC invited Alexei Proskura – Security Program Director at IDC CEE, Catalina Dodu – Country Manager Atos IT Solutions and Services, Cristina Metea – Legal Advisor at Microsoft Romania, and Andreea Lisievici – Data Privacy Lawyer to discuss a critical issue related to EU Regulation compliance for any company is processing personal data.

So, hoping I already convinced you, don’t forget we have just one week until the event. All you have to do is to sign up on the special page created by IDC at http://idcitsecurity.com/bucharest/registration

 

IBM Watson for Cyber Security: Opening a New Cognitive Security Era

Security analysts at IBM X-Force Command Centers are using Watson to augment their investigations into cybersecurity incidents. The company debuted Watson for Cyber Security, built on a corpus of over 1 million security documents. IBM analyst are also experimenting with a new virtual assistant which uses voice response technology." (John Mottern/Feature Photo Service for IBM)

Security analysts at IBM X-Force Command Centers are using Watson to augment their investigations into cyber security incidents. Image source: IBM

Watson for SOC is here! During the RSA Security conference from this week in San Francisco IBM announced the availability of Watson for Cyber Security powering cognitive Security Operations Centers (SOCs). Apparently a new announcement, like other thousand in the techno field, marking the innovation adoption and just another milestone in the evolution spiral…

But many peoples are considering this more than a simple announcement… Bringing the power of Watson and Cognitive Computing to the Security Operations Center is the opening of a new era in cyber security solutions industry. A cognitive security era. Let’s see what is exactly behind this simple integration announcement. Over the past year, Watson has been trained. To properly learn the cybersecurity language Watson ingested in last year more than over 1 million security documents. Based on this knowledge legacy Watson helps now all security analysts to research thousands of natural language reports. Any modern security tool could not do this before…

Even if you know something, you never could imagine the real dimension of cyber security fight. The dark reality is now 80% of world unstructured data was invisible for traditional security watch systems. According to IBM research, more than 10000 of security resource papers, 180000 articles and 720000 security blogs are released each year, without a central repository possibility and a coherent analyse. As result, most data remains unknown and unusual for worldwide cyber security defence.

ibm-watson-b-roll

Click on the picture to watch IBM Watson Cyber Security B-Roll

Starting from now data security professionals can quickly access, analyse and interpret all these 80% underwater unstructured data “created by humans, for humans” and integrate it with structured provided by thousands of sources. Watson for Cyber Security is integrated with cognitive technologies allowing the new Cognitive SOC platform to analyse and signal threats coming from endpoints, network, users and Cloud.

Cognitive security solutions are based on frontier technologies like machine learning and natural language processing, trying to reproduce the functions and mechanisms of the human brain. Using Watson security the researcher can quickly analyse multiple streams of data and compare it with the latest security attacks, providing a more intelligent picture of the threat and generating real-time reports to potential events detected.

The core engine of Watson for Cognitive SOC platform is IBM QRadar Advisor with Watson, a new application tested by more than 40 worldwide partners and clients to augment analysts’ investigations into cyber security incidents. The IBM QRadar Advisor with Watson app enhances security analysts’ cognitive capabilities in their investigations and remediation through IBM’s QRadar security intelligence platform. The solution is helping in the possible threats detection by correlating Watson’s natural language processing capabilities across security research works, Websites and blog pages, and thousands of other sources. This could reduce any cyber security investigations from weeks or days to minutes.

According to the IBM Institute research “Cyber security in the Cognitive Era”, only 7 % of security professionals are using today cognitive tools… The IBM Cognitive SOC platform brings cognitive methodologies into security analyst’s desktop, enhancing their proactivity to fill security knowledge breaches and to act with speed and efficiency.

ibm-watson-2

Image source: IBM

Driven by the dramatic growth in security incidents IBM invested also in research to bring cognitive tools into its global X-Force Command Center network, including a Watson-powered chatbot currently used in the interactions with IBM Managed Security Services customers. This new communication and collaboration tool can manage over 1 trillion security events per month. Using instant messaging, clients can ask Watson questions about their security status or network configuration.

IBM’s global network of X-Force Command Centers is using IBM’s cognitive capabilities like QRadar Advisor with Watson to enhance the investigation of security events. Over the past five years, IBM has built over 300 security operations centres for clients in all strategic industries. As part of the IBM X-Force Command Center network, any company can choose to have their IBM Cognitive SOC on-premise or via the IBM Cloud.

IBM also announced a new research project, code-named Havyn, having as a goal to create a voice-powered security assistant that can interact with security analysts on topics such as real-time threat updates and information on an organisation’s security issues. The Havyn project is integrating Watson APIs, BlueMix and IBM Cloud to provide real-time response to verbal requests and commands. Havyn is accessing data from open source security intelligence, including IBM X-Force Exchange, investigating also client-specific historic data and their security tools. Havyn is currently being tested by select researchers and analysts within IBM Managed Security Services.

%d bloggers like this: